CN111400681A - Data permission processing method, device and equipment - Google Patents


Info

Publication number
CN111400681A
Authority
CN
China
Prior art keywords
role
authority
rule
data
permission
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010266153.6A
Other languages
Chinese (zh)
Other versions
CN111400681B (en)
Inventor
钱陈胜
宋杨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chongqing Cloud Core Intelligent Technology Co ltd
Hangzhou Diji Intelligent Technology Co ltd
Original Assignee
Chongqing Cloud Core Intelligent Technology Co ltd
Hangzhou Diji Intelligent Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chongqing Cloud Core Intelligent Technology Co ltd, Hangzhou Diji Intelligent Technology Co ltd filed Critical Chongqing Cloud Core Intelligent Technology Co ltd
Priority to CN202010266153.6A priority Critical patent/CN111400681B/en
Publication of CN111400681A publication Critical patent/CN111400681A/en
Application granted granted Critical
Publication of CN111400681B publication Critical patent/CN111400681B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The embodiments of this specification provide a data authority processing method, device and equipment. The method comprises: determining the role identifier corresponding to a user who generates an original SQL statement through a service program; matching, according to the role identifier, the data authority rule corresponding to the role identifier from a preset role rule base, wherein the role rule base comprises a plurality of role identifiers and their corresponding data authority rules; identifying the operation type of the original SQL statement, and adapting the operation authority of the role identifier under that operation type according to the data authority rule corresponding to the role identifier; and, if the adaptation is successful, selecting the authority filter corresponding to the operation type and performing authority filtering on the original SQL statement according to the data authority rule corresponding to the role identifier. This solves the problems in the prior art that the rule logic of data authority is strongly coupled with the service code, is highly intrusive to the system, and makes later authority changes costly.

Description

Data permission processing method, device and equipment
Technical Field
The present disclosure relates to the field of computers, and in particular, to a method, an apparatus, and a device for processing data permissions.
Background
Data authentication refers to verifying that a user has the right to access system data.
Traditional data authentication is hard-coded by developers, that is, the rule logic of the data authority is coupled with the service code. This approach causes strong coupling between rule logic and service code, is highly intrusive to the system, and makes later permission changes costly.
Disclosure of Invention
The specification provides a data authority processing method, a data authority processing device and data authority processing equipment, which are used for solving the problems that in the prior art, the coupling of rule logic and service codes of data authorities is strong, the intrusiveness to a system is high, and the later-stage authority change cost is high.
In order to achieve the above purpose, the embodiment of the invention adopts the following technical scheme:
In a first aspect, an embodiment of the present specification provides a data permission processing method, including:
determining a role identifier corresponding to a user generating an original SQL statement through a business program;
according to the role identification, matching a data authority rule corresponding to the role identification from a preset role rule base, wherein the role rule base comprises a plurality of role identifications and corresponding data authority rules;
identifying the operation type of the original SQL statement, and adapting the operation authority of the role identifier under the operation type according to the data authority rule corresponding to the role identifier;
and if the adaptation is successful, selecting a permission filter corresponding to the operation type, and performing permission filtering on the original SQL statement according to the data permission rule corresponding to the role identification.
In a second aspect, an embodiment of the present specification provides a data authority processing apparatus, including:
the role determining module is used for determining a role identifier corresponding to a user generating an original SQL statement through a service program;
the authority matching module is used for matching a data authority rule corresponding to the role identifier from a preset role rule base according to the role identifier, wherein the role rule base comprises a plurality of role identifiers and corresponding data authority rules;
the authority adaptation module is used for identifying the operation type of the original SQL statement and adapting the operation authority of the role identifier under the operation type according to the data authority rule corresponding to the role identifier;
and if the adaptation is successful, selecting an authority filter corresponding to the operation type, and performing authority filtering on the original SQL statement according to the data authority rule corresponding to the role identifier.
In a third aspect, an embodiment of the present specification provides a data authority processing device, including:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to perform the following:
determining a role identifier corresponding to a user generating an original SQL statement through a business program;
according to the role identification, matching a data authority rule corresponding to the role identification from a preset role rule base, wherein the role rule base comprises a plurality of role identifications and corresponding data authority rules;
identifying the operation type of the original SQL statement, and adapting the operation authority of the role identifier under the operation type according to the data authority rule corresponding to the role identifier;
and if the adaptation is successful, selecting a permission filter corresponding to the operation type, and performing permission filtering on the original SQL statement according to the data permission rule corresponding to the role identification.
In a fourth aspect, embodiments of the present specification provide a storage medium. The storage medium is used to store computer-executable instructions. The computer executable instructions, when executed, implement the following process:
determining a role identifier corresponding to a user generating an original SQL statement through a business program;
according to the role identification, matching a data authority rule corresponding to the role identification from a preset role rule base, wherein the role rule base comprises a plurality of role identifications and corresponding data authority rules;
identifying the operation type of the original SQL statement, and adapting the operation authority of the role identifier under the operation type according to the data authority rule corresponding to the role identifier;
and if the adaptation is successful, selecting a permission filter corresponding to the operation type, and performing permission filtering on the original SQL statement according to the data permission rule corresponding to the role identification.
In the data authority processing method, device and equipment provided by the embodiments of this specification, the role identifier corresponding to a user who generates an original SQL statement through a service program is determined; the data authority rule corresponding to the role identifier is matched from a preset role rule base according to the role identifier, the role rule base comprising a plurality of role identifiers and their corresponding data authority rules; the operation type of the original SQL statement is identified, and the operation authority of the role identifier under that operation type is adapted according to the data authority rule corresponding to the role identifier; and, if the adaptation is successful, the authority filter corresponding to the operation type is selected and the original SQL statement is authority-filtered according to the data authority rule corresponding to the role identifier.
Drawings
In order to more clearly illustrate one or more embodiments or prior art solutions of the present specification, the drawings that are needed in the description of the embodiments or prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the present specification, and that other drawings can be obtained by those skilled in the art without inventive exercise.
Fig. 1 is a schematic view of an application scenario of a data permission processing method provided in an embodiment of the present specification;
Fig. 2 is a first flowchart of a data right processing method provided in an embodiment of the present disclosure;
Fig. 3 is a second flowchart illustrating a data permission processing method according to an embodiment of the present disclosure;
Fig. 4 is a third schematic flowchart of a data authority processing method provided in an embodiment of the present specification;
Fig. 5 is a fourth schematic flowchart of a data authority processing method provided in an embodiment of the present specification;
Fig. 6 is a fifth flowchart of a data authority processing method provided in an embodiment of the present specification;
Fig. 7 is a sixth schematic flowchart of a data authority processing method provided in an embodiment of the present specification;
Fig. 8 is a schematic block diagram illustrating a data right processing apparatus according to an embodiment of the present disclosure;
Fig. 9 is a schematic structural diagram of a data right processing device provided in an embodiment of this specification.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the embodiments of the present disclosure, the technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are only a part of the embodiments of the present disclosure, and not all of the embodiments. All other embodiments that can be derived by a person skilled in the art from one or more of the embodiments described herein without making any inventive step shall fall within the scope of protection of this document.
Fig. 1 is a schematic view of an application scenario of a data permission processing method provided in an embodiment of this specification. As shown in Fig. 1, the scenario includes a service layer, a proxy layer and a database. In the service layer, a user can trigger the execution of various service programs to realize the corresponding service logic, which includes access to data in the database. The proxy layer solves the data authentication problem that arises when the user accesses the database from the service layer. The proxy layer comprises a role rule base, a role authority adapter and authority filters.
And the role rule base is used for storing a plurality of role identifications and corresponding data authority rules. The role identification is used for distinguishing and characterizing the role category to which the user belongs, and the role identification corresponding to the user can be set in advance through user role mapping in a service layer; the data authority rule is used for recording a rule for performing an operation of a specified operation type on data in the target database, for example, performing an operation of a specified operation type on a certain data field in the target database. The role rule base may specifically include a role authority table and an authority rule table. The role authority table is used for identifying the corresponding relation between the role identifier and the data authority rule, and the authority rule table is used for storing the rule content of the data authority rule. The data authority rule content corresponding to a certain role identification can be determined by sequentially inquiring the role authority table and the authority rule table.
The role authority adapter is used for identifying the operation type of an original SQL statement generated by a user through a service program, wherein the operation type of the original SQL statement can comprise select, insert, update and delete.
The authority filter performs authority filtering on the original SQL statement according to the data authority rule corresponding to a role identifier, after the role authority adapter has successfully adapted the operation authority of that role identifier under a given operation type, and thereby forms an authority-filtered SQL statement. The authority-filtered SQL statement limits the user's authority to access data in the database: the authority filter first returns the authority-filtered SQL statement to the service layer, and the service program of the service layer then sends it to the database for data access.
Specifically, after a user initiates a data access request to the database by calling a service program in the service layer, the proxy layer intercepts the original SQL statement generated by the user through the service program in order to perform authority filtering on it. The specific process is as follows. First, the role identifier corresponding to the user is determined. The role identifier represents the role category to which the user belongs; for example, in an enterprise the role categories can be divided by user role level into roles such as staff, middle-level leader, high-level leader and boss, and each role corresponds to a unique role identifier. After the role identifier corresponding to the user is determined, the role authority adapter matches the data authority rule corresponding to the role identifier from the preset role rule base, which comprises a plurality of role identifiers and their corresponding data authority rules. The role authority adapter then identifies the operation type of the original SQL statement and adapts the operation authority of the role identifier under that operation type according to the data authority rule corresponding to the role identifier. If the adaptation is successful, the authority filter corresponding to the operation type is selected and performs authority filtering on the original SQL statement according to the data authority rule corresponding to the role identifier, after which data access can be carried out with the authority-filtered SQL statement.
Further, the role rule base may include a role authority table for identifying a correspondence between the role identifier and the data authority rule, and an authority rule table for storing rule contents of the data authority rule; therefore, when the data authority rules corresponding to the role identification are matched from the preset role rule base according to the role identification, the data authority rules corresponding to the role identification can be determined from the role authority table; and searching the rule content contained in the data authority rule corresponding to the role identification from the authority rule table.
Furthermore, when the operation authority of the role identifier under the operation type is adapted according to the data authority rule corresponding to the role identifier, the role authority adapter first adapts the operation type of the original SQL statement and determines the authority rule analysis flow that matches that operation type. The data authority rule corresponding to the role identifier is then analyzed with the matched authority rule analysis flow, and if the operation authority of the role identifier under the operation type is found, the adaptation is successful.
Further, when the authority filter corresponding to the operation type is selected and the original SQL statement is authority-filtered according to the data authority rule corresponding to the role identifier, a route from the role authority adapter to the authority filter corresponding to the operation type can be created. The data authority rule corresponding to the role identifier and the original SQL statement are then sent to that authority filter through the route, and finally the authority filter performs authority filtering on the original SQL statement based on the received data authority rule.
Further, after authority filtering is performed on the original SQL statement, the authority-filtered SQL statement may be returned to the business program, so that the business program accesses the target database based on the authority-filtered SQL statement.
Further, after the operation type of the original SQL statement is recognized and the operation right of the role identifier under the operation type is adapted according to the data right rule corresponding to the role identifier, if the adaptation fails, a prompt message of "no operation right" is fed back to the service program to notify the service program that the current user has no right to access the target database.
Furthermore, the proxy layer can respond to the trigger request for modifying the role authority table and/or the authority rule table, and correspondingly modify the role authority table and/or the authority rule table, so that the data authority rule corresponding to the role identifier can be flexibly changed.
The technical solution of the present specification is further illustrated by the following examples.
Example one
Based on the application scenario architecture, fig. 2 is a first flowchart of a data permission processing method provided in an embodiment of the present specification, where the method in fig. 2 can be executed by the proxy layer in fig. 1, as shown in fig. 2, the method includes the following steps:
Step S102, determining the role identifier corresponding to the user who generates the original SQL statement through the service program.
The role identifier is used to characterize the role category to which the user belongs. For example, in an enterprise, the role categories may be divided based on the role level of the user into staff, middle-level leader, high-level leader, boss and the like, and each role corresponds to a unique role identifier. The role identifier corresponding to the user can be set in advance through user role mapping in the service layer.
After a user initiates a data access request to the database by calling a service program in the service layer, the proxy layer intercepts the original SQL statement generated by the user through the service program and starts the operation flow for performing authority filtering on the original SQL statement. The first step of this operation flow is to determine the role identifier corresponding to the user who generated the original SQL statement through the service program.
Step S104, matching the data authority rules corresponding to the role identifier from a preset role rule base according to the role identifier, wherein the role rule base comprises a plurality of role identifiers and their corresponding data authority rules.
The data authority rule is used for recording a rule for performing an operation of a specified operation type on data in the target database, for example, performing an operation of a specified operation type on a specific data field in the target database. By setting the role rule base, the operation authority of users belonging to different roles for the data in the target database can be set and managed.
Specifically, after the role identifier corresponding to the user is determined, the role authority adapter in the proxy layer matches the data authority rule corresponding to the role identifier from the preset role rule base according to the role identifier, so that all the operation authorities owned by the user for the data in the target database are determined.
Step S106, identifying the operation type of the original SQL statement, and adapting the operation authority of the role identifier under the operation type according to the data authority rule corresponding to the role identifier.
The operation types of the original SQL statement may include select, insert, update and delete, and the operation type corresponding to the original SQL statement may be determined by parsing the original SQL statement.
Specifically, after the role identifier corresponding to the user is determined, all the data permission rules corresponding to the role identifier can be used to adapt the operation permission of the role identifier under the operation type. That is, it is judged whether all the data permission rules corresponding to the role identifier include a rule granting operation permission for the operation type of the current original SQL statement. If so, the adaptation is successful; otherwise, the adaptation fails.
For example, if all the data permission rules corresponding to the role identifier include a permission rule whose operation type is select, and the operation type of the current original SQL statement is select, the adaptation is considered successful.
A plurality of authority filters can be set according to the different operation types of the original SQL statement, so as to perform authority filtering on original SQL statements of each specified operation type respectively.
Specifically, after the role privilege adapter successfully adapts the operation privilege of the role identifier under the operation type, the corresponding privilege filter may perform privilege filtering on the original SQL statement according to the data privilege rule corresponding to the role identifier to form a privilege-filtered SQL statement.
The data authority processing method provided by the embodiments of this specification comprises: determining the role identifier corresponding to a user who generates an original SQL statement through a service program; matching the data authority rule corresponding to the role identifier from a preset role rule base according to the role identifier, wherein the role rule base comprises a plurality of role identifiers and their corresponding data authority rules; identifying the operation type of the original SQL statement, and adapting the operation authority of the role identifier under that operation type according to the data authority rule corresponding to the role identifier; and, if the adaptation is successful, selecting the authority filter corresponding to the operation type and performing authority filtering on the original SQL statement according to the data authority rule corresponding to the role identifier.
Example two
In this embodiment, on the basis of the first embodiment, the data permission processing method shown in fig. 2 is expanded and supplemented.
In the method shown in fig. 2, the role rule base may include a role authority table and an authority rule table, the role authority table is used to identify a correspondence between a role identifier and a data authority rule, and the authority rule table is used to store rule contents of the data authority rule;
Accordingly, as shown in Fig. 3, the step S104 may include:
S104-2, determining the data authority rule corresponding to the role identifier from the role authority table.
In the role authority table, each role identifier can correspond to at least one data authority rule, and the table records only the correspondence between role identifiers and data authority rules. Because only this correspondence is recorded, each data authority rule can be represented in the table by a unique authority ID. One role identifier may correspond to at least one authority ID at the same time. A correspondence between a role identifier and an authority ID indicates that users with that role identifier have the specific operation authority specified by the data authority rule to which the authority ID points.
Specifically, after the role identifier corresponding to the user who generates the original SQL statement through the service program is determined, the data authority rules that correspond to the role identifier, that is, the corresponding authority IDs, can be determined from the role authority table.
S104-4, searching the authority rule table for the rule content contained in the data authority rule that corresponds to the role identifier.
The specific rule content of each data permission rule is stored in the permission rule table, and each data permission rule only corresponds to one unique permission ID.
Specifically, after the data permission rule having a corresponding relationship with the role identifier, that is, the permission ID having a corresponding relationship is determined, the specific rule content of the data permission rule pointed by the permission ID, that is, the rule content of the data permission rule having a corresponding relationship with the role identifier, may be found by querying the permission rule table.
This hierarchical way of matching data authority rules effectively reduces the cost of designing the correspondence between role identifiers and data authority rules. It also allows that correspondence to be changed more flexibly, which reduces the cost of changes.
For example, in the method shown in fig. 3, the following steps may be further included: and responding to a trigger request for modifying the role authority table and/or the authority rule table, and correspondingly modifying the role authority table and/or the authority rule table.
Specifically, when the corresponding relationship between the role identifier and the data permission rule needs to be changed, the role permission table may be modified, for example, the corresponding relationship between the role identifier and the data permission rule may be changed by modifying the corresponding relationship between the role identifier and the permission ID; the data authority rules may also be modified, for example, the correspondence between the role identifier and the data authority rules may be changed by modifying the specific rule content of the data authority rules corresponding to the authority ID.
In addition, as shown in fig. 4, the step S106 may include:
S106-2, adapting the operation type of the original SQL statement through the role authority adapter, and determining the authority rule analysis flow that matches the operation type of the original SQL statement.
As shown in Fig. 1, to identify the operation type of an original SQL statement, a plug-in that performs the identification operation can be arranged in advance for each operation type. The plug-ins are connected in series as a chain and try to identify the operation type of the original SQL statement in sequence. Once the operation type is identified, the authority rule analysis flow matching that operation type is selected from a plurality of preset authority rule analysis flows; this flow is used to analyze the data authority rules that belong to the operation type of the current original SQL statement.
In order to analyze the permission rules of different operation types in the data permission rules, the present embodiment may pre-configure a permission rule analysis flow for the data permission rules of different operation types.
S106-4, adopting the matched authority rule analysis flow to analyze the data authority rule corresponding to the role identification, and if the operation authority of the role identification under the operation type is analyzed, the adaptation is successful.
Specifically, after the permission rule parsing process matched with the operation type of the original SQL statement is determined, it may be used to parse the data permission rules corresponding to the role identifier that were matched in step S104, and to determine whether those rules include a rule granting operation permission for the operation type of the current original SQL statement. If so, the adaptation is successful; otherwise, the adaptation fails.
For example, if a permission rule whose operation type is select is resolved from all the data permission rules corresponding to the role identifier through the permission rule resolution flow, and the operation type of the current original SQL statement is select, the adaptation is considered successful.
Further, as shown in fig. 5, the step S108 may include:
S108-2, a route from the role permission adapter to the permission filter corresponding to the operation type is created.
After the operation type of an original SQL statement is determined and the operation authority of the role identifier under that operation type is successfully adapted, the authority filter corresponding to the operation type can be selected to perform authority filtering on the original SQL statement. Once that authority filter has been selected, a route from the role authority adapter to it is created first.
S108-4, sending the data permission rule corresponding to the role identification and the original SQL statement to the corresponding permission filter through the route.
In order to reduce the data transmission amount, in the process of transmitting the data authority rules to the corresponding authority filter, only the data authority rules under the operation type matched with the authority filter can be transmitted.
S108-6, the authority filter carries out authority filtering on the original SQL statement based on the received data authority rules.
Specifically, after receiving the data permission rules and the original SQL statement, the permission filter can perform permission filtering (statement modification) on the original SQL statement according to the specific rule content of the data permission rules, changing the original SQL statement into an SQL statement that conforms to the data permission rules corresponding to the role identifier.
Further, as shown in fig. 6, after completing the authority filtering on the original SQL statement, the method further includes:
Step S110, returning the original SQL statement which completes the authority filtering to the business program, so that the business program accesses the target database based on the SQL statement after the authority filtering.
Specifically, after completing the authority filtering of the original SQL statement, the agent layer needs to return the filtered SQL statement to the business program, and the business program sends the filtered SQL statement to the target database so as to perform permission-restricted access to the target database.
Further, as shown in fig. 7, after the step S106, if the adaptation fails, the method may further include:
Step S112, feeding back prompt information of 'no operation authority' to the service program. The prompt information is used for prompting the user to change or cancel the access operation of the target database.
The data authority processing method provided by the embodiment of the specification determines a role identifier corresponding to a user who generates an original SQL statement through a service program, and matches a data authority rule corresponding to the role identifier from a preset role rule base according to the role identifier, where the role rule base comprises a plurality of role identifiers and the data authority rules corresponding to them. The method then identifies the operation type of the original SQL statement and adapts the operation authority of the role identifier under that operation type according to the data authority rule corresponding to the role identifier. If the adaptation is successful, an authority filter corresponding to the operation type is selected, and authority filtering is performed on the original SQL statement according to the data authority rule corresponding to the role identifier.
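The flow of steps S104 to S112 can be sketched as follows. This is an added example, not code from the patent: the rule fields (`op`, `table`, `predicate`), the role names, the OR-combination of multiple rules and the regular expressions standing in for a real SQL parser are all assumptions, and only single-table statements are handled; anything else is refused.

```python
import re

# Constructed role rule base. The two-table layout follows the page; the field
# names ("op", "table", "predicate") are assumptions of this example.
ROLE_PERMISSION_TABLE = {"sales_rep": ["r1", "r2"], "auditor": ["r3"]}
PERMISSION_RULE_TABLE = {
    "r1": {"op": "select", "table": "orders", "predicate": "region_id = 7"},
    "r2": {"op": "update", "table": "orders",
           "predicate": "region_id = 7 AND status = 'open'"},
    "r3": {"op": "select", "table": "orders", "predicate": None},  # unrestricted
}

LITERAL = re.compile(r"'(?:[^']|'')*'")
CLAUSE = r"(?:WHERE|GROUP\s+BY|HAVING|ORDER\s+BY|LIMIT)\b"
END = rf"\b\s*(?:$|(?={CLAUSE}))"   # the table name must be the whole FROM list
TAIL = re.compile(r"\b(?:GROUP\s+BY|HAVING|ORDER\s+BY|LIMIT)\b", re.I)
WHERE = re.compile(r"\bWHERE\b", re.I)
# Constructs this sketch cannot rewrite safely are refused rather than guessed at:
# joins, unions, comments (which could swallow an appended predicate), stacked
# statements, quoted identifiers and unterminated string literals.
UNSUPPORTED = re.compile(r"\b(?:JOIN|UNION)\b|--|/\*|#|;|['\"`]", re.I)
KEYWORDS = re.compile(r"\b(?:SELECT|FROM)\b", re.I)
EXPECTED = {"select": 2, "delete": 1, "update": 0, "insert": 0}  # no subqueries


def mask_literals(sql):
    """Blank string literals (offsets preserved) so keywords inside data are ignored."""
    return LITERAL.sub(lambda m: " " * len(m.group()), sql)


def match_rules(role_id):
    """S104: role permission table -> rule ids -> rule contents."""
    return [PERMISSION_RULE_TABLE[r] for r in ROLE_PERMISSION_TABLE.get(role_id, [])]


def _plugin(op, pattern):
    rx = re.compile(pattern, re.I | re.S)

    def identify(masked):
        m = rx.match(masked)
        return (op, m.group(1).lower()) if m else None
    return identify


# S106-2: identification plug-ins chained in series; the first match wins.
PLUGIN_CHAIN = [
    _plugin("select", rf"SELECT\b.*?\bFROM\s+(\w+){END}"),
    _plugin("update", r"UPDATE\s+(\w+)\s+SET\b"),
    _plugin("delete", rf"DELETE\s+FROM\s+(\w+){END}"),
    _plugin("insert", r"INSERT\s+INTO\s+(\w+)\s*(?:\(|VALUES\b)"),
]


def adapt(rules, op, table):
    """S106-4: keep the rules granting `op` on `table`; none means adaptation fails."""
    granted = [r for r in rules if r["op"] == op and r["table"] == table]
    if not granted:
        raise PermissionError("no operation authority")  # S112
    return granted


def row_filter(sql, masked, rules):
    """S108-6: AND the role's predicate onto the statement's own WHERE clause."""
    preds = [r["predicate"] for r in rules]
    if None in preds:  # an unrestricted rule grants the whole table
        return sql
    # Predicates come from the trusted rule base, never from the caller.
    joined = " OR ".join(f"({p})" for p in preds)
    predicate = joined if len(preds) == 1 else f"({joined})"
    w = WHERE.search(masked)
    t = TAIL.search(masked, w.end() if w else 0)
    cut = t.start() if t else len(sql)
    if w:  # parenthesise the caller's condition so its OR terms cannot escape the AND
        body = f"{sql[:w.start()]}WHERE ({sql[w.end():cut].strip()}) AND {predicate}"
    else:
        body = f"{sql[:cut].rstrip()} WHERE {predicate}"
    return f"{body} {sql[cut:]}".strip()


# S108-2: the "route" from adapter to filter, modelled as a lookup by operation type.
FILTERS = {"select": row_filter, "update": row_filter, "delete": row_filter,
           "insert": lambda sql, masked, rules: sql}


def process(role_id, sql):
    """Proxy-layer entry point: returns the filtered statement (S110) or raises."""
    sql = sql.strip().rstrip(";").rstrip()
    masked = mask_literals(sql)
    if UNSUPPORTED.search(masked):
        raise ValueError("unsupported statement")
    hit = next((h for h in (p(masked) for p in PLUGIN_CHAIN) if h), None)
    if hit is None or len(KEYWORDS.findall(masked)) != EXPECTED[hit[0]]:
        raise ValueError("unsupported statement")
    op, table = hit
    rules = adapt(match_rules(role_id), op, table)
    return FILTERS[op](sql, masked, rules)
```

Wrapping the caller's own condition in parentheses before appending the rule predicate is what keeps a top-level `OR` in the original statement from widening the result beyond the role's rows.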
EXAMPLE III
On the basis of the same technical concept, the embodiment of the present specification further provides a data authority processing apparatus corresponding to the data authority processing method described in fig. 2 to fig. 7. Fig. 8 is a schematic diagram of module components of a data permission processing apparatus according to an embodiment of the present disclosure, where the apparatus is configured to execute the data permission processing method described in fig. 2 to 7, and as shown in fig. 8, the apparatus includes:
the role determination module 201 is used for determining a role identifier corresponding to a user generating an original SQL statement through a service program;
the authority matching module 202 is used for matching a data authority rule corresponding to the role identifier from a preset role rule base according to the role identifier, wherein the role rule base comprises a plurality of role identifiers and corresponding data authority rules;
the permission adaptation module 203 is used for identifying the operation type of the original SQL statement and adapting the operation permission of the role identifier under the operation type according to the data permission rule corresponding to the role identifier;
and the permission filter module 204 is used for selecting, if the adaptation is successful, a permission filter corresponding to the operation type, and performing permission filtering on the original SQL statement according to the data permission rule corresponding to the role identifier.
The data authority processing device provided by the embodiment of the specification determines a role identifier corresponding to a user who generates an original SQL statement through a service program, and matches a data authority rule corresponding to the role identifier from a preset role rule base according to the role identifier, where the role rule base comprises a plurality of role identifiers and the data authority rules corresponding to them. The device then identifies the operation type of the original SQL statement and adapts the operation authority of the role identifier under that operation type according to the data authority rule corresponding to the role identifier. If the adaptation is successful, an authority filter corresponding to the operation type is selected, and authority filtering is performed on the original SQL statement according to the data authority rule corresponding to the role identifier.
Optionally, the role rule base may include a role authority table and an authority rule table, where the role authority table is used to identify a correspondence between a role identifier and a data authority rule, and the authority rule table is used to store rule contents of the data authority rule;
correspondingly, the permission matching module 202 determines a data permission rule having a corresponding relationship with the role identifier from the role permission table; and searching the rule content contained in the data authority rule having the corresponding relation with the role identification from the authority rule table.
Optionally, the permission adaptation module 203 adapts the operation type of the original SQL statement through the role permission adapter, and determines a permission rule parsing procedure matched with the operation type of the original SQL statement; it then parses the data permission rule corresponding to the role identifier by using the matched permission rule parsing procedure, and the adaptation succeeds if the operation permission of the role identifier under the operation type is parsed out.
Optionally, the permission filtering module 204 creates a route from the role permission adapter to the permission filter corresponding to the operation type;
sending the data authority rules corresponding to the role identification and the original SQL statement to the corresponding authority filter through the route;
the permission filter performs permission filtering on the original SQL statement based on the received data permission rules.
Optionally, the apparatus further comprises:
and the filtering output module returns the original SQL statement which completes the authority filtering to the business program, so that the business program accesses the target database based on the SQL statement after the authority filtering.
Optionally, the permission adaptation module 203 feeds back a prompt message of "no operation permission" to the service program if the adaptation fails.
Optionally, the apparatus further comprises:
and the rule modification module responds to a trigger request for modifying the role authority table and/or the authority rule table and correspondingly modifies the role authority table and/or the authority rule table.
It should be noted that the embodiment of the data permission processing apparatus in this specification and the embodiment of the data permission processing method in this specification are based on the same inventive concept, and therefore, for specific implementation of this embodiment, reference may be made to implementation of the corresponding data permission processing method, and repeated details are not described again.
Example four
On the basis of the same technical concept, corresponding to the data permission processing methods described in fig. 2 to fig. 7, an embodiment of the present specification further provides a data permission processing device, where the device is configured to execute the data permission processing method described above, and fig. 9 is a schematic structural diagram of the data permission processing device provided in the embodiment of the present specification.
As shown in fig. 9, data permission processing devices may differ considerably depending on configuration or performance, and may include one or more processors 301 and a memory 302, where the memory 302 may store one or more applications or data. Memory 302 may be, among other things, transient storage or persistent storage. The application program stored in memory 302 may include one or more modules (not shown), each of which may include a series of computer-executable instructions for the data permission processing device. Still further, the processor 301 may be arranged to communicate with the memory 302 and to execute, on the data permission processing device, the series of computer-executable instructions in the memory 302. The data permission processing device may also include one or more power supplies 303, one or more wired or wireless network interfaces 304, one or more input/output interfaces 305, one or more keyboards 306, and the like.
In one particular embodiment, a data rights processing apparatus comprises a memory, and one or more programs, wherein the one or more programs are stored in the memory, and the one or more programs may comprise one or more modules, and each module may comprise a series of computer-executable instructions for the data rights processing apparatus, and the one or more programs configured for execution by the one or more processors comprise computer-executable instructions for:
determining a role identifier corresponding to a user generating an original SQL statement through a business program;
according to the role identification, matching a data authority rule corresponding to the role identification from a preset role rule base, wherein the role rule base comprises a plurality of role identifications and corresponding data authority rules;
identifying the operation type of the original SQL statement, and adapting the operation authority of the role identifier under the operation type according to the data authority rule corresponding to the role identifier;
and if the adaptation is successful, selecting a permission filter corresponding to the operation type, and performing permission filtering on the original SQL statement according to the data permission rule corresponding to the role identification.
The data authority processing equipment provided in the embodiment of the specification determines a role identifier corresponding to a user who generates an original SQL statement through a service program, and matches a data authority rule corresponding to the role identifier from a preset role rule base according to the role identifier, where the role rule base comprises a plurality of role identifiers and the data authority rules corresponding to them. The equipment then identifies the operation type of the original SQL statement and adapts the operation authority of the role identifier under that operation type according to the data authority rule corresponding to the role identifier. If the adaptation is successful, an authority filter corresponding to the operation type is selected, and authority filtering is performed on the original SQL statement according to the data authority rule corresponding to the role identifier.
Optionally, when the computer executable instruction is executed, the role rule base includes a role authority table and an authority rule table, the role authority table is used for identifying a corresponding relationship between the role identifier and the data authority rule, and the authority rule table is used for storing rule contents of the data authority rule;
the matching of the data authority rule corresponding to the role identifier from a preset role rule base according to the role identifier comprises the following steps:
determining a data authority rule having a corresponding relation with the role identification from the role authority table;
and searching the rule content contained in the data authority rule having the corresponding relation with the role identification from the authority rule table.
Optionally, when executed, the adapting, according to the data permission rule corresponding to the role identifier, the operation permission of the role identifier under the operation type includes:
the operation type of the original SQL statement is adapted through a role permission adapter, and a permission rule analysis flow matched with the operation type of the original SQL statement is determined;
and adopting the matched authority rule analysis flow to analyze the data authority rule corresponding to the role identification, and if the operation authority of the role identification under the operation type is analyzed, the adaptation is successful.
Optionally, when the computer-executable instructions are executed, selecting a permission filter corresponding to the operation type and performing permission filtering on the original SQL statement according to the data permission rule corresponding to the role identifier includes:
creating a route from the role permission adapter to a permission filter corresponding to the operation type;
sending the data permission rule corresponding to the role identification and the original SQL statement to the corresponding permission filter through the route;
the permission filter performs permission filtering on the original SQL statement based on the received data permission rules.
Optionally, the computer executable instructions, when executed, further comprise:
returning the original SQL statement which completes the authority filtering to the business program so that the business program can access a target database based on the SQL statement after the authority filtering.
Optionally, when the computer-executable instructions are executed, after identifying the operation type of the original SQL statement and adapting, according to the data permission rule corresponding to the role identifier, the operation permission of the role identifier under the operation type, the following is further included:
and if the adaptation fails, feeding back prompt information of 'no operation authority' to the service program.
Optionally, the computer executable instructions, when executed, further comprise:
responding to a trigger request for modifying the role authority list and/or the authority rule list, and correspondingly modifying the role authority list and/or the authority rule list.
It should be noted that the embodiment of the data permission processing apparatus in this specification and the embodiment of the data permission processing method in this specification are based on the same inventive concept, and therefore, specific implementation of this embodiment may refer to implementation of the corresponding data permission processing method described above, and repeated details are not described again.
EXAMPLE five
Based on the same technical concept, embodiments of the present specification further provide a storage medium for storing computer-executable instructions. In a specific embodiment, the storage medium may be a USB disk, an optical disk, a hard disk, and the like, and the computer-executable instructions stored in the storage medium, when executed by a processor, implement the following processes:
determining a role identifier corresponding to a user generating an original SQL statement through a business program;
according to the role identification, matching a data authority rule corresponding to the role identification from a preset role rule base, wherein the role rule base comprises a plurality of role identifications and corresponding data authority rules;
identifying the operation type of the original SQL statement, and adapting the operation authority of the role identifier under the operation type according to the data authority rule corresponding to the role identifier;
and if the adaptation is successful, selecting a permission filter corresponding to the operation type, and performing permission filtering on the original SQL statement according to the data permission rule corresponding to the role identification.
When the computer executable instructions stored in the storage medium provided in the embodiment of the specification are executed by a processor, the role identification corresponding to a user who generates an original SQL statement through a service program is determined, and the data permission rule corresponding to the role identification is matched from a preset role rule base according to the role identification, where the role rule base comprises a plurality of role identifications and the data permission rules corresponding to them. The operation type of the original SQL statement is identified, and the operation permission of the role identification under that operation type is adapted according to the data permission rule corresponding to the role identification. If the adaptation is successful, a permission filter corresponding to the operation type is selected, and the original SQL statement is filtered according to the data permission rule corresponding to the role identification. Because the specific filtering operation is determined only after the operation permission of the role identification under the operation type of the original SQL statement has been adapted, the strong coupling between the role identification and the permission filtering operation is reduced, and the problems in the prior art of high intrusiveness into the logic of the service system and high modification cost are solved.
Optionally, when executed by a processor, the role rule base includes a role authority table and an authority rule table, where the role authority table is used to identify a correspondence between the role identifier and the data authority rule, and the authority rule table is used to store rule contents of the data authority rule;
the matching of the data authority rule corresponding to the role identifier from a preset role rule base according to the role identifier comprises the following steps:
determining a data authority rule having a corresponding relation with the role identification from the role authority table;
and searching the rule content contained in the data authority rule having the corresponding relation with the role identification from the authority rule table.
Optionally, when executed by a processor, the adapting, according to the data permission rule corresponding to the role identifier, the operation permission of the role identifier under the operation type includes:
the operation type of the original SQL statement is adapted through a role permission adapter, and a permission rule analysis flow matched with the operation type of the original SQL statement is determined;
and adopting the matched authority rule analysis flow to analyze the data authority rule corresponding to the role identification, and if the operation authority of the role identification under the operation type is analyzed, the adaptation is successful.
Optionally, when the computer-executable instructions stored on the storage medium are executed by the processor, selecting a permission filter corresponding to the operation type and performing permission filtering on the original SQL statement according to the data permission rule corresponding to the role identifier includes:
creating a route from the role permission adapter to a permission filter corresponding to the operation type;
sending the data permission rule corresponding to the role identification and the original SQL statement to the corresponding permission filter through the route;
the permission filter performs permission filtering on the original SQL statement based on the received data permission rules.
Optionally, the storage medium stores computer-executable instructions that, when executed by the processor, further comprise:
returning the original SQL statement which completes the authority filtering to the business program so that the business program can access a target database based on the SQL statement after the authority filtering.
Optionally, when executed by a processor, the computer-executable instructions stored in the storage medium further include, after identifying the operation type of the original SQL statement and adapting, according to the data permission rule corresponding to the role identifier, the operation permission of the role identifier under the operation type:
and if the adaptation fails, feeding back prompt information of 'no operation authority' to the service program.
Optionally, the storage medium stores computer-executable instructions that, when executed by the processor, further comprise:
responding to a trigger request for modifying the role authority list and/or the authority rule list, and correspondingly modifying the role authority list and/or the authority rule list.
When the computer executable instructions stored in the storage medium provided by the embodiment of the specification are executed by a processor, the role identification corresponding to a user who generates an original SQL statement through a service program is determined, and the data permission rule corresponding to the role identification is matched from a preset role rule base according to the role identification, where the role rule base comprises a plurality of role identifications and the data permission rules corresponding to them. The operation type of the original SQL statement is identified, and the operation permission of the role identification under that operation type is adapted according to the data permission rule corresponding to the role identification. If the adaptation is successful, the permission filter corresponding to the operation type is selected, and the original SQL statement is subjected to permission filtering according to the data permission rule corresponding to the role identification. Because the specific filtering operation is determined only after the operation permission of the role identification under the operation type of the original SQL statement has been adapted, the strong coupling between the role identification and the permission filtering operation is reduced, and the problems in the prior art of high intrusiveness into the logic of the service system and high modification cost are solved.
It should be noted that the embodiment of the storage medium in this specification and the embodiment of the data permission processing method in this specification are based on the same inventive concept, and therefore, for specific implementation of this embodiment, reference may be made to implementation of the corresponding data permission processing method, and repeated details are not described again.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
In the 1990s, it was easy to tell whether a technical improvement was an improvement in hardware (for example, an improvement to a circuit structure such as a diode, a transistor or a switch) or an improvement in software (an improvement to a method flow). However, as technology has developed, many of today's improvements to method flows can be regarded as direct improvements to hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming the improved method flow into a hardware circuit. Therefore, it cannot be said that an improvement to a method flow cannot be realized by hardware entity modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic function is determined by the user's programming of the device. A designer programs a digital system onto a PLD to "integrate" it, without requiring a chip manufacturer to design and manufacture a dedicated integrated circuit chip.
A controller may be implemented in any suitable manner. For example, a controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller (PLC), or an embedded microcontroller. Examples of controllers include, but are not limited to, the following microcontrollers: 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicone Labs C8051F320. A controller may also be implemented as part of the control logic of a memory.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functions of the units may be implemented in the same software and/or hardware or in multiple software and/or hardware when implementing the embodiments of the present description.
One skilled in the art will recognize that one or more embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, one or more embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The description has been presented with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the description. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as Random Access Memory (RAM), and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
One or more embodiments of the present description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. One or more embodiments of the specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner; for identical or similar parts, the embodiments may be referred to one another, and each embodiment focuses on its differences from the other embodiments. In particular, since the system embodiment is substantially similar to the method embodiment, it is described briefly, and for the relevant points reference may be made to the corresponding part of the description of the method embodiment.
The above description is only an example of this document and is not intended to limit this document. Various modifications and changes may occur to those skilled in the art from this document. Any modifications, equivalents, improvements, etc. which come within the spirit and principle of the disclosure are intended to be included within the scope of the claims of this document.

Claims (10)

1. A data authority processing method comprises the following steps:
determining a role identifier corresponding to a user generating an original SQL statement through a business program;
according to the role identification, matching a data authority rule corresponding to the role identification from a preset role rule base, wherein the role rule base comprises a plurality of role identifications and corresponding data authority rules;
identifying the operation type of the original SQL statement, and adapting the operation authority of the role identifier under the operation type according to the data authority rule corresponding to the role identifier;
and if the adaptation is successful, selecting a permission filter corresponding to the operation type, and performing permission filtering on the original SQL statement according to the data permission rule corresponding to the role identification.
2. The method according to claim 1, wherein the role rule base includes a role authority table and an authority rule table, the role authority table is used for identifying a corresponding relationship between the role identifier and the data authority rule, and the authority rule table is used for storing rule contents of the data authority rule;
the matching of the data authority rule corresponding to the role identifier from a preset role rule base according to the role identifier comprises the following steps:
determining a data authority rule having a corresponding relation with the role identification from the role authority table;
and searching the rule content contained in the data authority rule having the corresponding relation with the role identification from the authority rule table.
3. The method according to claim 1, wherein the adapting, according to the data permission rule corresponding to the role identifier, the operation permission of the role identifier under the operation type includes:
the operation type of the original SQL statement is adapted through a role permission adapter, and a permission rule analysis flow matched with the operation type of the original SQL statement is determined;
and adopting the matched authority rule analysis flow to analyze the data authority rule corresponding to the role identification, and if the operation authority of the role identification under the operation type is analyzed, the adaptation is successful.
4. The method of claim 3, wherein selecting a permission filter corresponding to the operation type, and performing permission filtering on the raw SQL statement according to the data permission rule corresponding to the role identification comprises:
creating a route from the role permission adapter to a permission filter corresponding to the operation type;
sending the data permission rule corresponding to the role identification and the original SQL statement to the corresponding permission filter through the route;
the permission filter performs permission filtering on the original SQL statement based on the received data permission rules.
5. The method of claim 1, further comprising:
returning the original SQL statement which completes the authority filtering to the business program so that the business program can access a target database based on the SQL statement after the authority filtering.
6. The method according to claim 1, wherein the identifying an operation type of the original SQL statement, and adapting, according to a data permission rule corresponding to the role identifier, an operation permission of the role identifier under the operation type further comprises:
and if the adaptation fails, feeding back prompt information of 'no operation authority' to the service program.
7. The method of claim 2, further comprising:
responding to a trigger request for modifying the role authority list and/or the authority rule list, and correspondingly modifying the role authority list and/or the authority rule list.
8. A data right processing apparatus comprising:
the role determining module is used for determining a role identifier corresponding to a user generating an original SQL statement through a service program;
the authority matching module is used for matching a data authority rule corresponding to the role identifier from a preset role rule base according to the role identifier, wherein the role rule base comprises a plurality of role identifiers and corresponding data authority rules;
the authority adaptation module is used for identifying the operation type of the original SQL statement and adapting the operation authority of the role identifier under the operation type according to the data authority rule corresponding to the role identifier;
and if the adaptation is successful, selecting an authority filter corresponding to the operation type, and performing authority filtering on the original SQL statement according to the data authority rule corresponding to the role identifier.
9. A data right processing device comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
determining a role identifier corresponding to a user generating an original SQL statement through a business program;
according to the role identification, matching a data authority rule corresponding to the role identification from a preset role rule base, wherein the role rule base comprises a plurality of role identifications and corresponding data authority rules;
identifying the operation type of the original SQL statement, and adapting the operation authority of the role identifier under the operation type according to the data authority rule corresponding to the role identifier;
and if the adaptation is successful, selecting a permission filter corresponding to the operation type, and performing permission filtering on the original SQL statement according to the data permission rule corresponding to the role identification.
10. A storage medium storing computer-executable instructions that when executed implement the following:
determining a role identifier corresponding to a user generating an original SQL statement through a business program;
according to the role identification, matching a data authority rule corresponding to the role identification from a preset role rule base, wherein the role rule base comprises a plurality of role identifications and corresponding data authority rules;
identifying the operation type of the original SQL statement, and adapting the operation authority of the role identifier under the operation type according to the data authority rule corresponding to the role identifier;
and if the adaptation is successful, selecting a permission filter corresponding to the operation type, and performing permission filtering on the original SQL statement according to the data permission rule corresponding to the role identification.
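
The flow of claims 1 to 6, shown as an added Python example that is not code from the patent: a two-table role rule base, adaptation of the operation type, and one filter per operation type that rewrites the original SQL statement. The rule format, role names, `orders` table and regex-based rewriting are assumptions made for illustration; statement shapes the rewriter cannot scope reliably (joins, subqueries, comments, multiple statements) are refused rather than passed through.

```python
import re
import sqlite3

# Role rule base (claim 2). All roles, rules and rows here are constructed samples.
# Predicates are trusted administrator configuration; their values are bound by name.
ROLE_AUTHORITY = {"sales_east": ["r1", "r2"], "auditor": ["r3"]}  # role authority table
EAST = {"predicate": "region = :perm_region", "binds": {"perm_region": "east"}}
AUTHORITY_RULES = {  # authority rule table
    "r1": {"op": "SELECT", "table": "orders", **EAST},
    "r2": {"op": "DELETE", "table": "orders", **EAST},
    "r3": {"op": "SELECT", "table": "orders", "predicate": "1 = 1", "binds": {}},
}
TABLE_REF = re.compile(r"\b(?:FROM|UPDATE)\s+(\w+)\b(?!\s*,)", re.I)
NESTED = re.compile(r"\b(?:SELECT|JOIN|UNION)\b", re.I)


class NoOperationAuthority(Exception):
    """Adaptation failed (claim 6); the business program gets this instead of SQL."""


def filter_select(stmt, rule):
    # Read filter: swap the table for a derived table that already carries the predicate.
    scoped = f"(SELECT * FROM {rule['table']} WHERE {rule['predicate']}) AS {rule['table']}"
    return TABLE_REF.sub(lambda m: f"FROM {scoped}", stmt, count=1)


def filter_write(stmt, rule):
    # Write filter: parenthesise the caller's WHERE so "OR 1 = 1" cannot widen the scope.
    m = re.search(r"\bWHERE\b", stmt, re.I)
    if not m:
        return f"{stmt} WHERE {rule['predicate']}"
    return f"{stmt[:m.start()]}WHERE ({stmt[m.end():].strip()}) AND ({rule['predicate']})"


FILTERS = {"SELECT": filter_select, "UPDATE": filter_write, "DELETE": filter_write}


def filter_statement(role_id, sql):
    """Match the role's rules, adapt the operation type, route to its filter."""
    stmt = sql.strip().rstrip(";").strip()
    op = stmt.split(None, 1)[0].upper() if stmt else ""
    refs = TABLE_REF.findall(stmt)
    # Fail closed: exactly one plain table reference, one statement, no comments.
    if re.search(r";|--|/\*", stmt) or NESTED.search(stmt[len(op):]) or len(refs) != 1:
        raise NoOperationAuthority("statement shape not handled; refused")
    for rule in (AUTHORITY_RULES[r] for r in ROLE_AUTHORITY.get(role_id, [])):
        if op in FILTERS and rule["op"] == op and rule["table"].lower() == refs[0].lower():
            return FILTERS[op](stmt, rule), dict(rule["binds"])
    raise NoOperationAuthority("no operation authority")


def demo():
    """Run filtered statements against a constructed in-memory table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, region TEXT, amount INTEGER)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1, "east", 50), (2, "east", 500), (3, "west", 900)])
    sql, binds = filter_statement("sales_east", "SELECT id FROM orders WHERE amount > :min")
    seen = [row[0] for row in db.execute(sql, {**binds, "min": 100})]
    sql, binds = filter_statement("sales_east", "DELETE FROM orders WHERE id = 1 OR 1 = 1")
    db.execute(sql, binds)
    left = [row[0] for row in db.execute("SELECT id FROM orders ORDER BY id")]
    return seen, left
```

The business program merges the returned bindings with its own named parameters before executing the filtered statement.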
CN202010266153.6A 2020-04-07 2020-04-07 Data authority processing method, device and equipment Active CN111400681B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010266153.6A CN111400681B (en) 2020-04-07 2020-04-07 Data authority processing method, device and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010266153.6A CN111400681B (en) 2020-04-07 2020-04-07 Data authority processing method, device and equipment

Publications (2)

Publication Number Publication Date
CN111400681A true CN111400681A (en) 2020-07-10
CN111400681B CN111400681B (en) 2023-09-12

Family

ID=71431468

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010266153.6A Active CN111400681B (en) 2020-04-07 2020-04-07 Data authority processing method, device and equipment

Country Status (1)

Country Link
CN (1) CN111400681B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112347469A (en) * 2020-11-10 2021-02-09 浙江百应科技有限公司 Low-intrusion data authority processing method and system and electronic equipment thereof
CN112528249A (en) * 2020-12-18 2021-03-19 杭州立思辰安科科技有限公司 Authority management method and device suitable for network security management platform
CN113765673A (en) * 2021-08-31 2021-12-07 中国建设银行股份有限公司 Access control method and device
CN115017175A (en) * 2022-05-12 2022-09-06 浪潮卓数大数据产业发展有限公司 Multi-user data processing method and system for teaching
CN115659406A (en) * 2022-12-09 2023-01-31 平安银行股份有限公司 Data access method

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090064272A1 (en) * 2007-08-31 2009-03-05 International Business Machines Corporation Database authorization rules and component logic authorization rules aggregation
CN102968599A (en) * 2012-10-25 2013-03-13 北京邮电大学 User-defined access control system and method based on resource publisher
CN104766023A (en) * 2015-02-02 2015-07-08 苏州全维软件科技有限公司 User management method based on ORACLE database
US20150339306A1 (en) * 2014-05-21 2015-11-26 International Business Machines Corporation Revising policy statements using hyperlinks
CN106250782A (en) * 2016-08-12 2016-12-21 天津西瑞尔信息工程有限公司 A kind of data permission control method resolved based on SQL statement and device
CN106570406A (en) * 2016-10-27 2017-04-19 深圳前海微众银行股份有限公司 Data level permission configuration method and device
CN107808103A (en) * 2017-11-13 2018-03-16 北京中电普华信息技术有限公司 The control method and control device of a kind of data permission
CN108509807A (en) * 2018-04-13 2018-09-07 南京新贝金服科技有限公司 A kind of the table data authority control system and method for based role
US10089480B1 (en) * 2017-08-09 2018-10-02 Fmr Llc Access control governance using mapped vector spaces
CN109815284A (en) * 2019-01-04 2019-05-28 平安科技(深圳)有限公司 A kind of method and apparatus of data processing
CN110895537A (en) * 2019-11-29 2020-03-20 中国银行股份有限公司 Method and device for freely inquiring authority control

Also Published As

Publication number Publication date
CN111400681B (en) 2023-09-12

Similar Documents

Publication Publication Date Title
CN111400681A (en) Data permission processing method, device and equipment
CN109614823B (en) Data processing method, device and equipment
CN109032825B (en) Fault injection method, device and equipment
CN110223682B (en) Voice instruction arbitration method and device
CN110569428A (en) recommendation model construction method, device and equipment
CN111144132B (en) Semantic recognition method and device
CN111124480A (en) Application package generation method and device, electronic equipment and storage medium
CN108616361B (en) Method and device for identifying uniqueness of equipment
CN110019444B (en) Operation request processing method, device, equipment and system
CN110046100B (en) Packet testing method, electronic device and medium
CN106156050B (en) Data processing method and device
CN111737304B (en) Processing method, device and equipment of block chain data
CN113408254A (en) Page form information filling method, device, equipment and readable medium
CN109409037B (en) Method, device and equipment for generating data confusion rule
CN112181798B (en) Data recording method and device
CN111488569B (en) Authority determining and managing method, device, equipment and medium
CN114281688A (en) Codeless or low-code automatic case management method and device
CN114661826A (en) Data processing method, device and equipment based on block chain
CN115827589A (en) Authority verification method and device, electronic equipment and storage medium
CN111324778A (en) Data and service processing method and device and electronic equipment
CN113687973B (en) Control method, equipment and medium for log dynamic output
US20180174019A1 (en) Artificial intelligence analysis service
CN116432185B (en) Abnormality detection method and device, readable storage medium and electronic equipment
CN112231757B (en) Privacy protection method, device and equipment for embedded application
CN117421319A (en) Data verification method, device, electronic equipment and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant